Putting Web Security Issues to REST

Abstract: A common security mantra is "don't roll your own" - but when developing modern web APIs, this may seem easier said than done. Unlike older, over-specified API protocols, the general concepts which underpin REST APIs do not offer much guidance on security best-practices. Worse still, some techniques that have gained widespread use have been shown to be fundamentally flawed. This session will cover some common classes of mistakes in developing and using secure web APIs, and show how reinventing the wheel can sometimes be dangerous. Along the way, we'll cover problems with authentication and authorization, information leakage, and (im)proper uses of transport-layer security, among others.

Bio: Adam Goodman is a co-founder and Principal Security Engineer at Duo Security, where he and his cohorts work to radically improve the ease-of-use in strong authentication systems. He was previously a founding engineer at Zattoo, Europe's largest live-streaming Internet TV operator, where he led the development of the secure P2P distribution and digital rights management protocols that carried the first live broadcasts of Europe's second-largest pay TV operator over the Internet. Adam also enjoys puns way too much for his own good...